PMA - 0x01 - Malware Analysis Primer

Malware Analysis Primer
Goals of Malware Analysis
- Determine exactly what happened, so that every infected machine and file can be located, and then develop signatures (host and network)
- Types of signatures
  - Host-based signatures detect malicious code on victim computers by identifying files created or modified by the malware
  - Network-based signatures detect malicious code by monitoring network traffic
- Finally, figure out how the malware works
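As an added example (not from the original post or the book), the two signature types side by side: a host-based check that looks for known file hashes and filenames on disk, and a network-based check that looks for the beacon's URI pattern together with its hard-coded User-Agent. All sample files, log lines, hashes and patterns are constructed for this example.

```python
import hashlib
import re

# Constructed sample files (path -> content). The bytes are made up for this
# example; they are not real malware.
DROPPER = b"MZ\x90\x00example dropper payload"
SAMPLE_FILES = {
    "C:/Windows/Temp/svch0st.exe": DROPPER,
    "C:/ProgramData/cache.bin": DROPPER,              # same payload, different name
    "C:/Users/alice/Documents/notes.txt": b"meeting at 10",
}
SAMPLE_FILES_BY_HOST = {
    "10.0.0.5": SAMPLE_FILES,
    "10.0.0.7": {"C:/Users/bob/readme.txt": b"hello"},
}

# Host-based signature: artifacts the malware leaves on disk. The hash catches
# the payload whatever it is called; the filename catches a rebuilt payload
# that kept its name. Both values are assumptions for this example.
HOST_SIGNATURE = {
    "sha256": {hashlib.sha256(DROPPER).hexdigest()},
    "filenames": {"svch0st.exe"},
}

# Constructed proxy log lines: "src -> dst METHOD URI VERSION UA=<user agent>".
SAMPLE_TRAFFIC = [
    "10.0.0.5 -> 203.0.113.7 GET /gate.php?id=9f3c2a1b HTTP/1.1 UA=Mozilla/4.0 (compatible; MSIE 6.0)",
    "10.0.0.5 -> 93.184.216.34 GET /index.html HTTP/1.1 UA=Mozilla/5.0",
    "10.0.0.9 -> 203.0.113.7 POST /gate.php?id=00ab12cd HTTP/1.1 UA=Mozilla/4.0 (compatible; MSIE 6.0)",
    "10.0.0.12 -> 93.184.216.34 GET /news HTTP/1.1 UA=Mozilla/4.0 (compatible; MSIE 6.0)",
]

# Network-based signature: the beacon's URI pattern plus the User-Agent the
# sample sends (assumed values). Requiring both keeps an old but legitimate
# browser (host 10.0.0.12 above) from matching on User-Agent alone.
NETWORK_SIGNATURE = {
    "uri": re.compile(r"/gate\.php\?id=[0-9a-f]{8}\b"),
    "user_agent": "UA=Mozilla/4.0 (compatible; MSIE 6.0)",
}


def match_host(files, signature):
    """Return (path, reasons) for every file that trips the host signature."""
    hits = []
    for path, content in files.items():
        reasons = []
        if hashlib.sha256(content).hexdigest() in signature["sha256"]:
            reasons.append("hash")
        if path.rsplit("/", 1)[-1] in signature["filenames"]:
            reasons.append("filename")
        if reasons:
            hits.append((path, reasons))
    return hits


def match_network(lines, signature):
    """Return (src, dst) for every request matching BOTH parts of the signature."""
    hits = []
    for line in lines:
        parts = line.split()
        src, dst, uri = parts[0], parts[2], parts[4]
        if signature["uri"].search(uri) and signature["user_agent"] in line:
            hits.append((src, dst))
    return hits


def infected_hosts(files_by_host, traffic, host_sig=HOST_SIGNATURE, net_sig=NETWORK_SIGNATURE):
    """Union of hosts flagged by either signature type: the list to contain and clean."""
    flagged = {host for host, files in files_by_host.items() if match_host(files, host_sig)}
    flagged.update(src for src, _ in match_network(traffic, net_sig))
    return sorted(flagged)


if __name__ == "__main__":
    print(match_host(SAMPLE_FILES, HOST_SIGNATURE))
    print(match_network(SAMPLE_TRAFFIC, NETWORK_SIGNATURE))
    print(infected_hosts(SAMPLE_FILES_BY_HOST, SAMPLE_TRAFFIC))
```

Host 10.0.0.9 never had its disk inspected but shows up through the network signature, which is why the goal above asks for both kinds: each covers machines the other misses.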
Malware Analysis Techniques
- Types of techniques
  - Static Analysis
    - Examining the executable
    - Reverse engineering the malware's internals by disassembling it and looking at its instructions
  - Dynamic Analysis
    - Running the malware and examining its behavior in order to remove the infection and create signatures
    - Quite often we use a debugger to understand how the malware is being
- Static Analysis
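The first static step of examining an executable, as an added example that is not from the original post: hash the file so it can be identified elsewhere, pull out printable strings the way the `strings` tool does, and sort those strings into the indicator categories an analyst skims for (URLs, persistence registry keys, injection-related API names). The byte blob and the indicator patterns are constructed for this example; the blob is not a real program.

```python
import hashlib
import re

# Constructed stand-in for an executable: bytes that look like a PE header,
# then embedded strings separated by binary junk. Not a real program.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    + b"kernel32.dll\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"\x01\x02\x03\xff"
    + b"http://example.invalid/gate.php\x00"
    + b"ab\x00"                                         # too short to count as a string
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
)

# Indicator categories worth a closer look. The patterns are assumptions for
# this example, not a complete rule set.
INDICATOR_PATTERNS = {
    "url": re.compile(r"https?://[^\s]+"),
    "run_key": re.compile(r"CurrentVersion\\Run", re.IGNORECASE),
    "injection_api": re.compile(r"^(CreateRemoteThread|WriteProcessMemory|VirtualAllocEx)$"),
}


def file_hashes(data: bytes) -> dict:
    """Hashes used to identify the sample and search for it on other machines."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of printable ASCII of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def find_indicators(strings: list) -> dict:
    """Group strings by the indicator category they match; drop empty categories."""
    found = {name: [] for name in INDICATOR_PATTERNS}
    for s in strings:
        for name, pattern in INDICATOR_PATTERNS.items():
            if pattern.search(s):
                found[name].append(s)
    return {name: hits for name, hits in found.items() if hits}


def triage(data: bytes) -> dict:
    """One-pass static summary of a file: identity, format hint, strings, indicators."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "is_mz": data[:2] == b"MZ",          # DOS/PE header magic
        "strings": strings,
        "indicators": find_indicators(strings),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(key, value)
```

The strings alone already suggest a hypothesis (a Run-key persistence entry, a beacon URL, process-injection APIs) that the disassembly and the dynamic run can then confirm or reject; the hashes are what you search for on other hosts once that hypothesis holds.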
- Types of Malware
  - Backdoor —> Malicious code that is installed and allows the attacker to gain access to the local system with little or no authentication
  - Botnet —> Similar to a backdoor, but it allows the attacker to send commands from a central command-and-control (C2) server
  - Downloader —> Malicious code which downloads additional malicious code
  - Information-stealing malware —> Malware which steals sensitive data from the victim's computer and sends it to the attacker
  - Launcher —> Used to launch other malicious programs
  - Rootkit —> Code designed to hide other malicious programs
  - Scareware —> Designed to frighten the user into buying "software"
  - Spam-Sending Malware —> Sends spam, allowing attackers to generate income from that process
  - Worm or Virus —> Code that can copy itself and infect additional computers
- Tips and Tricks
  - Focus on the key features rather than dissecting every detail, as malware is a complex piece of software
  - Try analyzing the malware from different approaches and angles using different tools; don't get stuck on one
  - Be ready to recognize, understand and defeat new techniques on the fly as malware authors introduce them
https://iamavu.com/posts/03-pma-malware-analysis-primer/